Articles in the category "Threat Hunting":

The new (as of 10.05.2017) version of mimilib (a DLL with a subset of mimikatz features) supports the DNS server-level plugin API and the DHCP server Callout plugin API. In this post I will quickly cover how to inject the DLL into the DHCP service and how to detect it using Windows Event Logs and Sysmon.

The Windows DNS Server management protocol, which is based on RPC, allows DnsAdmins and higher-privileged users to load arbitrary DLLs as plugins into the DNS service via DnssrvOperation2. Here's how to monitor for that event.